In 2012 Morgan Stanley avoided prosecution under the Foreign Corrupt Practices Act (FCPA) for the actions of a rogue manager. It did so by showing the U.S. Securities and Exchange Commission (SEC) how seriously it had put in place anti-corruption measures, despite the fact that those measures had failed in this case.
The UK Bribery Act (UKBA) says that companies are automatically criminally liable for any proven bribery by their staff, agents or even joint venture partners unless they can show they had in place "adequate procedures" to prevent it. Therefore through "adequate procedures" both the FCPA and the UKBA offer companies somewhat of a "get out of jail card".
The Financial Times reported in December 2014 that a survey by GoodCorporation showed that many businesses were "failing to implement adequate controls to prevent corruption".
Businesses have always needed to protect themselves against fraud. However, today they must also protect themselves from the risk of bribery by their staff, their agents and their business partners. The question is, to what extent can and should they use technology for this purpose? This blog considers these issues.
Under the UKBA there are five principles that constitute “adequate procedures”. They are:
- Top level commitment. The company's top management must show it is committed to preventing bribery – ‘tone from the top, but implemented from the middle’
- Risk assessment. An organisation must analyse and understand the bribery risks it faces – geographical and sector
- Policies and procedures. Policies and procedures, proportionate to the risks, must be developed and be clear, practical, implemented and enforced
- Due diligence. Appropriate risk based due diligence must be carried out on all business relationships
- Communication. The anti-bribery message must be communicated through the organisation by internal training, support and reporting.
However, just putting all of the above in place won't be enough. A ‘Principle 6’ is required, which is for organisations to continuously monitor and review their policies and procedures for effectiveness. They must have "systems set up to deter, detect and investigate bribery and monitor the ethical quality of transactions" (Ministry of Justice 2010 Guidance on Principle 6)
What does monitor and review require?
Essentially it is checking to see if your anti-bribery systems are working and then adjusting and upgrading as needs be;
- Review. Keeping policies and procedures under review for effectiveness
- Financial monitoring. Watching for irregularities, patterns, relationship networks and areas of risk through transaction analysis
- Awareness of the rogue. Recognising that rogue employees, who study and try to evade all protective systems, will always exist
- Constant improvement. What was "adequate" one year may not be adequate the next.
When does it make sense or become necessary to apply technology solutions as part of your ‘adequate procedures’?
This is, to a degree, subjective and depends on what is proportionate for the organisation concerned taking into account the level of risk, the size and resources of the organisation, the effectiveness and the cost of the technology.
As technology gets more sophisticated and as the price of a given solution falls, what might have been considered disproportionate one year, and therefore outside the adequate procedures requirement, might not be the next.
Businesses should therefore track developments in technology to ensure they are not missing proportionate solutions which have become a necessary part of the adequate solutions defence both in the UK and worldwide.
As stated above businesses have always needed to protect themselves against fraud. Today they must also protect themselves from the risk of corruption.
The question is, how far can technology help with both?